OWASP IoT Top 10 – Daniel Miessler



All right, so my name is Daniel. I run the IoT Top 10 project, and basically what I do have is a feedback session. I was going to do 10 minutes for slides, but now I have like a minute and a half for slides; that's fine. So the IoT Security Project is basically an umbrella of different projects; there are lots of different ones. The IoT Top 10 is the one I'm specifically talking about today, but there are other projects like general IoT vulns (not sure why it's flashing, might be my side), IoT recommendations, there's a separate project just for IoT related to SCADA (nice, yes), and there are also projects like a reference architecture project where you actually design what it should look like, because the problem with these types of projects is you show people what you shouldn't do and they say, "Fine, what should I do?" Right? So that would be a really nice project to have.

The purpose of the IoT Top 10 is basically the 10 worst things that you should avoid, right? So it's not specifically vulns or threats or risks, because you could talk for hours about what the differences are between those. So the idea here is just: these are bad things, don't do these things. So this is the team, and briefly around the methodology of what we did: we basically took a whole bunch of real-world vulnerabilities from tons of different databases and collected them all together, and the whole purpose of doing that is basically to say what's actually being exploited in the wild, right? What do we actually care about? So we went to NVD, we went to the Bugcrowd database, we went to lots of internal vulns from team members and friends of team members, and brought it all together to basically collect that into a data set that we can analyze to make sure we're not forgetting something major, and we basically weighted those based on how often we saw them. Then we went and looked at basically every single IoT project that's been talked about or put out there in like the last several years, so CSA, Stanford, NIST, a bunch of different projects.

So this is what it looks like right now. Hopefully you can see that; there's better visibility in a later slide, but this is currently what it looks like. It's a little bit risk-ranked with color, just for the visual for later on. But it's weak passwords basically as number one, insecure network services number two, insecure access interfaces: this is a combination of all the different ways you would get to an IoT system, right, so it's basically merging together multiple things. Insecure outdated components: this is probably a nightmare for everyone. Lack of secure update mechanism: this one is pretty bad, you know, sending the update in clear text, not signing the update, having the update server be writable for the entire company's software, things like that. Privacy protection: this one goes without saying. Insecure data transfer and storage: this is basically any time out of the IoT ecosystem you are sending or storing data in an insecure way. Physical hardening: if you can touch the system, you can usually exploit it. This is the one that I like the least right now, and this is all draft, this is all active conversation, right? We've got like a whole other month or however long we need to finalize this. I actually put this one in here in 2014, but I don't think I like it all that much anymore, because it's kind of confusing between what I meant, which was the manufacturer didn't give you sufficient options to secure the system: they didn't give you ways to upgrade the encryption, the protocols that are used, different types of options for securing it, and they didn't provide those to you, so it's a less secure system. But when you read it, it kind of looks like they failed, you failed, to actually configure it correctly. So I think, because it's not clear, maybe we could change that. And then device management: this is where people are deploying like thousands or hundreds of thousands of systems out there, and they don't know where they are, they don't know the patch state, and you've got sort of issues there.

So this is kind of the diff. In 2014 when we first launched this, the web interface was number one, and then it was authentication/authorization, and there are kind of like categories, if you look at the left they're kind of like categories, and then number three was network services, and then all the individual cloud, mobile (and we didn't have API in here, but cloud and mobile are broken out separately, right?), and then software and firmware, and then physical. And so in the new one we've basically modified that, and here are the main modifications: we moved passwords to the top, network services to number two. Think of passwords as, I don't know, the way I think of that is think of all the botnets, right. Network services being number two, think of what you could find on Shodan for any particular vulnerable device. Combined access methods, so basically API, cloud, mobile, all those are combined into that one issue. Added the storage issue to transport. Called out insecure components specifically; this is also where like supply chain will fall under, right? You're using insecure components, you don't know where you're getting your stuff, you're just assembling the widget of widgets and then shipping it out. And then device management was added. So that was that.

So now let's just go into your strange feedback from the room, and I'm going to actively, I'm going to take notes. This is what we do in our meetings, and you are all part of the project now, so we can basically just take feedback, and hopefully you can see the list on the right, or on the left, and just super raw thoughts, and we can go in order if you want. So let's just do that. So who doesn't think, or doesn't like, the password, and this is a combination of weak, guessable, and hard-coded, being number one? Okay, yeah.

Yes, sure, this is just off the top of my head. We're going through a similar exercise in my day job, and I would put, we're putting, in general, not just for IoT, but you know really updateability, lack of secure update or any updateability, as number one, because without the ability to do that you can't; if we have that we can do most of the rest over time, but without the ability to update we can't get to the rest of the stuff, because we've never designed a perfect anything from day one. So I'm not saying that number one can't be number one, but I would take inability to update and maybe bump it up higher in the list.

Now that's perfect. I think the key here is, so one thing to think about here is we combined manufacturer concerns, enterprise concerns, developer concerns, and consumer concerns. This is basically a meta list of, like, when you think of IoT going bad, what is the number one problem? I would say, you know, I would say symptom: what is the number one thing that's actually hurting people, not like a root cause, because if we go back to root causes we're going to end up at like one or two, it's going to be a list of one that's going to say "management not focused on security," right, profit before security, and the list will be done. I agree with what you're saying, because that is like an additional root cause. Like, I agree, if you can't do that you can't do a lot of other things, but this is really a list of, like, acute pain; this is like what's causing harm. And some of the feedback has been like swapping one and two, because, you know, in order for one to happen there has to be the service open, usually facing the internet, for it to get exploited. So it's a weird mix, it's a weird combination between ease of attack, you know, probability, combined with the impact, combined with the pervasiveness of the issue. But that's good feedback, I'm going to take that back. Thoughts? Throw them out. Yeah.

Yeah, and when you mentioned a mobile app, do you mean a mobile app controlling an IoT device, or are you talking about just a mobile app inside your enterprise? Okay, and what would be the main sort of thing to avoid, the number one thing to avoid in that context? For this, like, where would your attacker be? Would it be inside the network, or is this an internet-facing thing? Okay, the way that I would think about that is, if it's internet facing, then how do you auth into it, right? And that's why, if the auth was bad, then that's how they would get control of this thing from the internet. But I'll take that down. So just basically ICS, different perspective, and feel free to hit me up afterwards as well if you want to get in the Slack channel and talk about it.

All right, this one's crazy. What do you think about combining access methods? Because if you don't, you actually take up three slots with mobile, cloud, API. I mean, you could even break it down further. The idea was to not take three slots and just say don't just think about the device but also think about how you're getting to it, and all those different individual methods can have their own vulnerabilities. So generally, do we like the combination, do you think it should be broken out? Yeah, physical would be another access method, that's funny, I hadn't thought of that. I guess the combination, it's amazing, it keeps doing that. Number three are all remote, I guess that's the key, right? That's a good point. Oh, that's a good idea, yeah. So what is it now, insecure... yeah, take that, two forward, "insecure remote"... I think that is a good idea. Okay.

And then, yeah, insecure outdated components. One discussion that we are having, and by the way this discussion is on the OWASP Slack channel and it's #iot-security, and it's open; the project team has always been open, so you just show up, you're like "hey, this should move up to this," or "you forgot this," or whatever, and we try to incorporate that. So this one here, the one thing we're thinking about is actually explicitly somehow saying supply chain, because, you know, insecure components, I just feel like it's not quite high enough to call out directly yet, although the last couple of weeks might have changed that priority some. But we are going to mention it in the text itself. The problem right now, you probably saw that report that just came out that basically said like 60% of routers are just full of garbage from like six years ago, like old custom web servers; people are just assembling with broken Legos to build these things. So I think that's pretty strong.

Secure update mechanism, obviously you like that being high; you could even take it higher, right? Okay, sure, yeah, okay, yeah. I've got it: third-party software or hardware components, I think, because that exact point came up; it's in the extra text. Yep. Yeah, no, it's a good question. I would say that we wouldn't want to say in number one everyone needs two-factor for all IoT, because it's just too early. I think nobody, I mean we're trying to turn off HTTP at this point; I don't think we could jump to strong auth. I do agree later on in our maturity we should absolutely get away from passwords, but right now I think they should just not be horrible, and also not be in a document. Yeah, admin/admin, you just Google the device and you get the user manual, and it tells you exactly their credentials. Mm-hmm. Yeah, she's asking about mutual auth. Yeah, I think again, just for now, because we're so far behind in IoT security, just having good auth into the system would be good, but down the line, I mean all these things, 5G coming out, they're all going to have to be mutual TLS and mutual cert auth and that sort of thing. So I agree that that just probably will come later, maybe 2020, maybe 2022.

Privacy. Privacy, this seems kind of obvious. One issue I have with this one, let's see what you guys think, is that not storing or sending privacy information in a bad way is kind of similar to this one, isn't it? So I feel like there's an opportunity maybe to merge those somehow. Physical hardening: I originally didn't want this one on there, because the attack method for most people hurting IoT devices is not to walk up to it, so I feel like it's a vuln that maybe shouldn't be in the top ten. I don't know, do you agree with that? Yes, yeah, yeah, and if you have physical access, what else can you do? Yeah, yeah, go to the whiteboard and get the password. So insufficient security configurability, this one I'm starting to not like; it's basically the vendor did not provide enough security features. Good. Hey, thanks for the offer. No, I just wrote that down, that's good. It's almost worth its own, and this would be focused at the manufacturer not shipping the device secure by default, but that's a good idea.

And then device management, how do you feel about this? This I feel like is a little bit farther out in terms of maturity of the industry. This is basically saying, look, if you're a vendor and you have half a million devices out there, do you have asset management? Do you know the current patch levels? If something really bad happened, how quickly could you update them? So this is another one that's very manufacturer focused. Do you feel like it should be in the top ten right now, or do you feel like it should maybe be a 2020 item? 2020, yeah. It is very similar to that; those are very similar. Okay. Anything you were thinking of when you think of IoT security and it's not on the list? Yep, root of trust. Okay, and this is, so describe like a scenario or a pain point around this. Okay, so okay, gotcha, gotcha. Yeah, least privilege, yeah, this is good, and where would you say that would be ranked? So fairly high, top five maybe, potentially, yeah, okay. Any other things that just don't seem to be here that you think should be here? Okay, and okay, and what does that look like, what is the pain point that you're thinking? Oh okay, yeah, yeah, like, yep, that makes sense. So this is the deaf
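The "lack of secure update mechanism" item in the talk (updates sent in clear text, updates not signed, a writable update server) is the one where the minimum device-side check is easy to show in code. What follows is an added example, not code from the OWASP project or from the talk: a Go sketch of what a device should verify before it flashes an image, using Ed25519 from the standard library. The wire format (a 4-byte version, the image, and a signature over version || SHA-256(image)), the strict anti-rollback rule, and the function names are assumptions made here for illustration; the vendor public key is assumed to be baked into the device firmware, and the device holds no signing secret. `InsecureVerify` models the hash-only check that "not signing the update" amounts to: it catches corruption but not an attacker who can rewrite the download.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the assumed wire format the device receives: a version header,
// the image, and a vendor signature over version || SHA-256(image).
type Update struct {
	Version   uint32 // must increase monotonically; drives the anti-rollback check
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update: signature does not verify against vendor key")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
)

// GenerateVendorKey creates the vendor's signing pair. In practice the private
// half lives in an HSM or offline signer, never on the update server.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Digest returns SHA-256 of an image; used both for signing and for the
// insecure hash-only check below.
func Digest(image []byte) [32]byte {
	return sha256.Sum256(image)
}

// signedBytes is the exact message under the signature: 4-byte big-endian
// version followed by the image digest. Binding the version into the
// signature means an attacker cannot bump the version on an old image.
func signedBytes(version uint32, image []byte) []byte {
	msg := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(msg[:4], version)
	sum := Digest(image)
	copy(msg[4:], sum[:])
	return msg
}

// BuildUpdate is the vendor side: produce a signed update package.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedBytes(version, image)),
	}
}

// VerifyUpdate is the device side. pub is the key baked into firmware and
// installed is the running version. It accepts only if the signature verifies
// AND the version is strictly newer, so a genuine but older image is refused.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

// InsecureVerify is the pattern the talk warns about: the device only checks
// that the image matches a digest delivered next to it over the same
// (clear-text) channel. Whoever can tamper with the download replaces both.
func InsecureVerify(digest [32]byte, image []byte) bool {
	return Digest(image) == digest
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	img := []byte("constructed sample image, not real firmware")
	u := BuildUpdate(priv, 2, img)
	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, u))
	fmt.Println("genuine v2 on a v2 device:", VerifyUpdate(pub, 2, u))
	u.Image[0] ^= 0xff // simulate tampering in transit
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, u))
}
```

Signing covers integrity and origin even if the download itself travels over plain HTTP; it does not give confidentiality, and it does nothing about a writable update server unless the signing key is kept off that server, which is why the key is assumed to live in a separate signer here.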

One Comment

  1. Sergey Sotnikov said:

    I want a cap like that))

    June 30, 2019
